
Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 14:02 UTC (Sun) by cartman (subscriber, #11404)
Parent article: Hackers claim zero-day flaw in Firefox (ZDNet)

I hope this will get people to realize: Firefox is NOT secure, nothing is fully
secure. Saying Firefox is secure is just a blind lie.

What is worse is the Mozilla Foundation's security policy, under which they keep
security bugs non-public and do not even fix them in a timely fashion. There was even a
security bug many years old which got fixed after someone discovered the bug
and posted it to bugtraq.



Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 16:53 UTC (Sun) by job (guest, #670)

I really have a problem with the "nothing is fully secure" mantra. Of course everything can be abused in some way, but the design of a particular software may be more or less secure. Very well designed software is "secure" in a practical sense, such as QMail, Postfix or vsftpd. I'd be very surprised to see a hole in any of those, while not so much with Firefox.

Sorry, I probably don't disagree with you at all, I'm just allergic to that expression. A lot of people use it as an excuse to choose obviously insecure software. While most software is not fully secure, the odds of finding holes as well as the impact of them is what's interesting.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 17:17 UTC (Sun) by jfj (guest, #37917)

I'd like to second this comment. There is a general tendency these days: "there is no security, just give it up. You'll never be secure, so just trust your software provider." Well, wrong. If the code is well-written and small, people really can make a secure system. Part of Mozilla's insecurities (which are probably more than IE's) are due to the extreme complexity of the project. Ahh, welcome to the invasion of the *.Orgs: a couple of people controlling a huge code base through extreme complexity, in the hope of making a profit.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 2, 2006 14:56 UTC (Mon) by gerv (subscriber, #3376)

"Part of mozilla's insecurities (which are probably more than IE) are due to the extreme complexity of the project."

Are you volunteering to write a web browser for today's web which isn't extremely complex?

Gerv

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 2, 2006 15:02 UTC (Mon) by gerv (subscriber, #3376)

To elaborate: yes - small, simple and well designed makes things much more secure. We could tell everyone to stop using the web for five years while site owners go away and write sites in valid, semantic, easy to parse HTML and other web standards, while a free software group writes a small and simple browser for this new web from the ground up. The end result would be a lot more secure than Firefox.

However, back in the real world, if you want to experience the full web, Firefox (on Linux ;-) is the safest option.

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 1, 2006 18:27 UTC (Sun) by AJWM (subscriber, #15888)

> I really have a problem with the "nothing is fully secure" mantra.

Probably because you're smart enough to recognize that that is the mantra of someone pushing insecure products. (So you might as well buy theirs).

Security is not a binary "is or is not" property. Security is a continuum, and it depends on the value (to someone else) of what you're trying to secure and how much effort they're willing to go to to get it or damage it. So while Firefox may not be absolutely secure (as indeed, nothing is), it's more secure than a certain widely used other browser out there. There may well be other browsers that are more secure than Firefox -- or at least more secure in some aspects, perhaps less so in others.

It's like the old joke about two hikers who encounter an enraged grizzly bear, and one stops to put on sneakers. "Are you crazy? You'll never run faster than the bear," his buddy says. "I don't need to run faster than the bear, I just need to run faster than you." Unless you've got something of unique value on your system, your system just needs to be secure enough to encourage crackers to go elsewhere. (And yes, that's a moving target.)

Hackers claim zero-day flaw in Firefox (ZDNet)

Posted Oct 2, 2006 10:20 UTC (Mon) by drag (subscriber, #31333)

Woot for Virtual Machines, I guess.

What is that.. VM FTW? (stupid saying, ftw)

Here is what you do: set up one of the multitude of low-resource VM/container-like items for Linux, like Linux-VServer or OpenVZ or whatnot. There are at least 3 or 4 good options.

Take debootstrap and set up a bare-bones Debian install in a directory. apt-get install Firefox. Whatever. Maybe busybox. Name your poison; the goal is to get a minimal Linux install in there, separate from your system, to prepare the way for running your browser.

Set that up as the read-only portion of a UnionFS file system. Set up a shared directory so that files you want to download off the internet are made available in a specific directory in your home directory. That way you end up with a read-only base you can update as you feel like it, and a read-write portion that allows everything to function well but is easily deleted.

Run Firefox from that container via X forwarding (although that has its own issues, doesn't it?). Every once in a while, blow the 'read/write' directory away and update the 'read-only' portion. Hell, automate it. Do it every third time you start a new browser session or something.

Then tell the zero-day'ers to go F- themselves. To me that seems the easiest way to get secure browsing done. Now you don't have to worry about browser hacks giving people access to install scripts, change your bashrc around, pull sensitive information, or anything else of that nature.

I figure the name of the game with that is: "rm -- the ultimate anti-spyware"
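The disposable-browser setup drag describes, as an added example script that is not part of the comment above or of any LWN or Mozilla code. Assumptions: overlayfs stands in for the UnionFS the comment mentions, Debian's firefox-esr package, an unprivileged account named "user" inside the chroot, the paths and environment variable names below, and sharing the host X socket into the chroot instead of X forwarding (which keeps the X-related weakness the comment alludes to). It must run as root; with DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: throwaway Firefox sandbox with a read-only debootstrap base and a
# writable overlay layer that gets wiped every Nth session. All names/paths are
# assumptions; overlayfs is used in place of the UnionFS from the 2006 comment.
set -eu

BASE=${SANDBOX_BASE:-/srv/ffsandbox}
LOWER=$BASE/base          # read-only Debian root produced by debootstrap
UPPER=$BASE/rw            # throwaway writable layer (all browser writes go here)
WORK=$BASE/work           # overlayfs scratch directory (same filesystem as UPPER)
ROOT=$BASE/root           # merged view the browser actually runs in
SHARE=${SANDBOX_SHARE:-${HOME:-/tmp}/sandbox-downloads}   # the one shared directory
SUITE=${SANDBOX_SUITE:-bookworm}
MIRROR=${SANDBOX_MIRROR:-http://deb.debian.org/debian}
RESET_EVERY=${RESET_EVERY:-3}   # "every third time you start a new browser session"
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# overlayfs never writes to lowerdir, so the base stays pristine.
overlay_opts() { printf 'lowerdir=%s,upperdir=%s,workdir=%s' "$LOWER" "$UPPER" "$WORK"; }

# True when session number $1 should start from a fresh writable layer.
reset_due() { [ $(( $1 % RESET_EVERY )) -eq 0 ]; }

# Build (or rebuild, to update) the read-only base: minimal Debian plus the browser.
build_base() {
    run debootstrap --variant=minbase "$SUITE" "$LOWER" "$MIRROR"
    run chroot "$LOWER" apt-get update
    run chroot "$LOWER" apt-get install -y --no-install-recommends firefox-esr
    run chroot "$LOWER" useradd -m -s /bin/sh user
}

# Assemble the merged root; only the download directory and X socket come from the host.
mount_sandbox() {
    run mkdir -p "$UPPER" "$WORK" "$ROOT" "$SHARE"
    run mount -t overlay overlay -o "$(overlay_opts)" "$ROOT"
    run mkdir -p "$ROOT/home/user/Downloads" "$ROOT/tmp/.X11-unix"
    run mount --bind "$SHARE" "$ROOT/home/user/Downloads"
    run mount --bind /tmp/.X11-unix "$ROOT/tmp/.X11-unix"
}

unmount_sandbox() { run umount -R "$ROOT"; }

# "rm -- the ultimate anti-spyware": discard everything the browser session wrote.
reset_rw() { run rm -rf "$UPPER" "$WORK"; }

# Persistent session counter so the reset can be automated.
next_session() {
    n=$(cat "$BASE/sessions" 2>/dev/null || echo 0)
    n=$((n + 1))
    [ "$DRY_RUN" = 1 ] || echo "$n" > "$BASE/sessions"
    echo "$n"
}

browse() {
    n=$(next_session)
    if reset_due "$n"; then reset_rw; fi
    mount_sandbox
    run chroot "$ROOT" su user -c "DISPLAY=${DISPLAY:-:0} firefox-esr"
    unmount_sandbox
}

case "${1:-}" in
    build)  build_base ;;
    browse) browse ;;
    reset)  reset_rw ;;
    "")     ;;   # no verb: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 build|browse|reset" >&2 ;;
esac
```

Usage: `sudo ./ffsandbox.sh build` once, then `sudo ./ffsandbox.sh browse` per session; the third, sixth, ... session starts from an empty writable layer. The shared download directory is the deliberate hole in the isolation, so treat whatever lands there as untrusted.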

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds